Snort mailing list archives

Re: How to extract part of “content” and print in “msg” of a Snort Alert


From: Jeffrey Stebelton <jstebelton () netjets com>
Date: Thu, 18 Apr 2013 12:35:49 +0000

Does that mean in the future Snort would have the ability to include packet data in the alert? That would be a really 
nice feature for Snort/Sourcefire, and about the only advantage that Enterasys Dragon has over Sourcefire (I ran Dragon 
for over 10 years at a previous job). Including the packet data means an intrusion analyst can make a rudimentary 
analysis of the alert right from his phone or pager. That’s the one feature from Dragon I really miss.

Jeff Stebelton GCIA GCIH GCFW CEH SFCP
Senior Information Security Analyst
NetJets Inc.
4111 Bridgeway Avenue
Columbus, OH 43219
T: (614) 849-7281
C: (614) 364-3078
E: jstebelton () netjets com
www.netjets.com
NetJets® Inc. is a Berkshire Hathaway company.

From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Monday, April 15, 2013 10:59 AM
To: Heshan Perera
Cc: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] How to extract part of “content” and print in “msg” of a Snort Alert

On Apr 15, 2013, at 9:06 AM, Heshan Perera <anthonyheshanperera () gmail com> wrote:

I am trying to write a Snort rule that will allow me to print the name of a file being downloaded via FTP.

The following is the rule I have so far...

alert tcp any any <> any any (content:"RETR:";msg:"A file is being downloaded.";sid:1000004;)

While this rule works, I can't figure out how to print the name of the file in the "msg" component of the alert. For 
example I would want the output of the alert to be something like...

"A file is being downloaded. The file name is foo.txt".

The file name is available in the content of the FTP traffic (RETR: /foo.txt)

I just cannot figure out how to extract that content and print it as a part of the message.

Any help on this would be highly appreciated.

This is not a feature that Snort currently supports in any version.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
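As an added example (not code from this thread, from Snort or from Sourcefire), the following post-processor takes the payload bytes Snort can log alongside an alert and appends the RETR file name to the rule's msg text, producing the output the original question asked for. It accepts both the RFC 959 form `RETR foo.txt` and the `RETR: /foo.txt` form used in the rule above, and it sanitises the client-supplied name before it is written into a log line. The sample payloads are constructed; how the payload is retrieved from Snort's packet logging is assumed and not shown.

```python
import re

# Matches the first RETR command on the FTP control channel. The optional
# colon covers the "RETR: /foo.txt" form from the original rule as well as
# the standard "RETR foo.txt" form.
_RETR_RE = re.compile(rb"^RETR:?[ \t]+(.+?)\r?$", re.IGNORECASE | re.MULTILINE)

# Cap the length so an oversized file name cannot bloat the alert line.
_MAX_NAME_LEN = 255


def extract_retr_filename(payload: bytes):
    """Return the file name from the first RETR command in an FTP
    control-channel payload, or None if the payload holds no RETR."""
    match = _RETR_RE.search(payload)
    if match is None:
        return None
    raw = match.group(1).strip()
    # The name is attacker-controlled input headed for a log line: replace
    # CR/LF, other control bytes and non-ASCII with '?' so it cannot forge
    # or break up alert records, then truncate.
    clean = "".join(chr(b) if 0x20 <= b < 0x7F else "?" for b in raw)
    return clean[:_MAX_NAME_LEN]


def enrich_alert(msg: str, payload: bytes) -> str:
    """Append the RETR file name to the rule's msg text, or return the
    msg unchanged when the payload contains no RETR command."""
    name = extract_retr_filename(payload)
    if name is None:
        return msg
    return f"{msg} The file name is {name}"


# Constructed sample payloads, as a client would send them on port 21.
SAMPLE_PAYLOAD = b"USER anonymous\r\nPASS guest\r\nRETR /foo.txt\r\n"
SAMPLE_NO_RETR = b"LIST\r\n"

if __name__ == "__main__":
    print(enrich_alert("A file is being downloaded.", SAMPLE_PAYLOAD))
    print(enrich_alert("A file is being downloaded.", SAMPLE_NO_RETR))
```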
